It is commonly believed that simply making passwords longer makes them more secure. In reality, security hinges on entropy — the true measure of unpredictability. This article compares random‐character passwords with word‐based “passphrases,” showing that although passphrases can be easier to remember, their strength depends on the size and randomness of the wordlist. Ultimately, choosing a strong password means balancing true unpredictability with human memorability.
How Strong Are Passphrases Really?
Passphrases are becoming more popular as they appear to be unpredictable for attackers but also easier for the user to remember. But are they secure enough?
A passphrase is a “password” made of three or more random words belonging to a given dictionary. Before diving into it, let us step back and try to understand how we can measure the “quality” of a password.
For simplicity, let us start considering a PIN code of four digits. The number of combinations that one has to try until they get the right one is given by $b^{\ell}$, where $b$ is the base, namely among how many digits one can pick, and $\ell$ the overall length of the password. In our example of a four-digit password, our base consists of $b=10$ digits and the length is $\ell=4$. Therefore, if a person wants to try to guess this code, they have to do at max $10^4=10000$ tries.
The Longer, the Harder? Entropy
Because a brute-force attack ultimately consists of binary decisions — checking each possible value one by one — we need a metric that directly reflects the number of bit-level operations required to cover the entire search space. This metric is called entropy, and it tells us how many bits of uncertainty (i.e., how many binary guesses) are needed to represent all possible combinations:
\[E\equiv\log_2\left(b^{\ell}\right) = \ell \dfrac{\ln(b)}{\ln2}\]Here, (E) represents the number of bits a computer would need to explore all possible combinations in the worst case. The higher the entropy, the harder it is for an attacker to guess the password by brute force. We started from the definition and we re-expressed our formula so that we can compute it with normal calculators.
A four-digits PIN code would have an entropy of $13.29$ bits. In this way, we have re-expressed the number of possible password combinations and therefore necessary guessing attempts for an attacker in binary form.
Let us assume we need a password of at least 20 characters. If we start with just lowercase letters (26 possible characters), we can calculate the entropy of a password generated with random characters. For comparison, let’s consider a passphrase made of four or five random words. Depending on the length of each word, such a passphrase would likely result in a total length around 20 characters or more. While the exact length of a passphrase depends on the words selected, we can approximate that four or five words could yield a passphrase of a similar length to a 20-character random password. This allows us to compare the entropy of both types of passwords when they are roughly the same length.
The Bigger, the Better? Passphrases vs. Passwords
In order to compute the number of possible combinations that make up a passphrase, we first need to consider the size of the dictionary from which the words are drawn. In this analysis, we refer to the EFF large wordlist1, also used by tools like KeePassXC, which includes 7,776 words. This list is structured as a so-called five-dice wordlist, meaning each word can be uniquely selected by rolling five six-sided dice — yielding $6^5 = 7776$ possible outcomes at most. The size of the list becomes our base $b$, and the number of words used in the passphrase becomes the exponent $\ell$ in the total number of combinations:
| Random characters | Passphrase four words | Passphrase five words | |
|---|---|---|---|
| Combination | $26^{20}\approx1.99\times10^{28}$ | $7776^4\approx3.65\times10^{15}$ | $7776^5\approx2.84\times10^{19}$ |
| Entropy (bits) | $94.01$ | $51.70$ | $64.62$ |
A 20-character randomly generated password is significantly less predictable than a passphrase made of four or five random words. As shown in the table, it provides much higher entropy, meaning it’s mathematically much harder to guess or brute-force.
One could argue that we can separate the words with a space or with a random character like + - _ & % $ @ …
In this case, we need to add a new term to the entropy with a base $b_2$, the number of allowed separators2.
\[E\equiv\log_2\left(b^{\ell}\right)+\log_2\left(b_2\right) = \ell \dfrac{\ln(b)}{\ln2}+\dfrac{\ln(b_2)}{\ln2}\]If we consider $b_2=32$ as the number of different special characters, we get:
| Random characters (26) | Passphrase four words | Passphrase five words | |
|---|---|---|---|
| Combination | $26^{20}\approx1.99\times10^{28}$ | $32\times7776^4\approx1.17\times10^{17}$ | $32\times7776^5\approx9.10\times10^{20}$ |
| Entropy (bits) | $94.01$ | $56.70$ | $69.62$ |
As expected, introducing special characters as separators between words increases the entropy by approximately 5 bits. This is because the total number of possible combinations grows with the addition of new symbols, which adds to the unpredictability of the password.
The More Resources, the More Success: How Fast Can a Modern Home Computer Crack Passwords?
Ever wondered how quickly a regular computer can test passwords against common hashing algorithms? We ran a benchmark using Hashcat v6.2.6 on a standard system with an Intel® Core™ Ultra 7 165U CPU and here’s what we found. Even without a dedicated GPU, this modern CPU delivers surprisingly high speeds when testing passwords, especially for older or less complex hash functions.
| Hash type | Speed (Guesses/second) |
|---|---|
| NTHash | 724.8 million H/s |
| MD5 | 388.8 million H/s |
| SHA2-256 | 92.6 million H/s |
| PBKDF2-SHA512 | 14 794 H/s |
| bcrypt | 154 H/s |
These results make one thing clear: Fast hashes (NTHash, MD5, SHA-256) are engineered for throughput and can be cracked at hundreds of millions of attempts per second on consumer hardware. By contrast, password-hashing KDFs (like PBKDF2 and bcrypt) intentionally burn CPU cycles — often with configurable iteration or cost parameters — to slow down brute-force attacks to a trickle. For even stronger defense, memory-hard schemes such as scrypt, Argon2, or yescrypt add memory usage to the cost model, forcing attackers to invest both time and RAM on every guess.
To put this in perspective:
- A password with 60 bits of entropy would take around 90 years to brute-force at a 400 million guesses per second — in theory. In practice? With modern GPU clusters and optimized tools, this can be reduced to 45 days for weak hash functions like SHA1 or NTHash.
- A password with 128 bits of entropy remains computationally infeasible to crack, even with massive distributed systems.
The Higher, the Better? Targeting 128 Bits of Entropy
Let us now fix a target entropy of 128 bits, a value commonly regarded as secure for cryptographic applications and resilient even against large-scale brute-force attacks. The goal is to evaluate how long a password or passphrase must be to achieve this level of security, depending on the generation method.
We consider three scenarios:
- A random string using all 94 printable characters (including lowercase, uppercase, digits, and special symbols)
- A passphrase generated from the EFF large wordlist used by tools like KeePassXC, which contains 7,776 words
- A generic passphrase composed of five or seven words, and we compute how large the wordlist would need to be to achieve 128 bits of entropy
| Entropy target | Random characters (94) | EFF wordlist | Passphrase: five words | Passphrase: seven words |
|---|---|---|---|---|
| $E = 90$ bits | 14 characters | 7 words | $\sim$ 260k-word list | $\sim$ EFF wordlist size |
| $E = 128$ bits | 20 characters | 10 words | $\sim$ 50M-word list | $\sim$ 320k-word list |
This comparison shows that a password made of 20 random characters from a 94-character set reaches 128 bits of entropy. Similarly, one would need ten words from a 7,776-word dictionary (such as the EFF large wordlist) to reach the same level.
Alternatively, fewer words could be used if the dictionary were much larger. For instance, a passphrase of five words would require a dictionary of approximately 50 million entries, while seven words would only require around 320,000 words to provide equivalent security.
For perspective, the vocabulary of an average-educated native English speaker ranges from 20,000 to 35,000 words, while comprehensive unabridged English dictionaries contain 200,000 to 300,000 words. This means that a seven-word passphrase drawn from a sufficiently rich and well-structured wordlist could offer the same cryptographic strength as a highly random and complex password.
Although random strings remain the most compact way to achieve high entropy, passphrases offer a compelling alternative — as long as they are generated with true randomness from a well-designed, sufficiently large wordlist.
Conclusions
The memorability of a passphrase improves significantly with repeated use. A sequence of six or seven randomly chosen words may seem daunting at first, but if entered regularly — for example, as a disk encryption key or system login — it can become familiar over time. In such contexts, the usability advantage of passphrases becomes meaningful.
That said, for credentials that are rarely typed — such as those managed by a password manager or used for API tokens — the benefits of a memorable passphrase diminish. In these cases, dense random strings offer the same level of security with less cognitive overhead.
It’s also important to note that word-based passphrases must be sufficiently long to offer strong protection. A three- or four-word phrase, even if random, rarely provides the same security margin as a properly sized alphanumeric password. This trade-off highlights a key point: Passphrases are not inherently stronger — they must be long enough and truly random to compete with well-generated passwords.
Ultimately, password design should reflect both entropy requirements and real-world usability. Whether it’s a dense, character-based password or a longer, word-based passphrase, the right choice depends on the specific use case and how frequently the secret is used. After all, security is only effective when it aligns with human behavior — and when it strikes the right balance between protection and practicality.
-
https://github.com/leonklingele/passphrase/blob/master/wordlist-eff-large.txt ↩
-
Passphrases generators allow separators of also more than one characters but not different separators. ↩